Cyber Threat Intelligence 29 July 2024
Vulnerabilities
- Acronis Warns Of Cyber Infrastructure Default Password Abused In Attacks
"Acronis warned customers to patch a critical Cyber Infrastructure security flaw that lets attackers bypass authentication on vulnerable servers using default credentials. Acronis Cyber Protect (ACI) is a unified multi-tenant platform that combines remote endpoint management, backup, and virtualization capabilities and helps run disaster recovery workloads and store enterprise backup data securely. Over 20,000 service providers use ACI to protect over 750,000 businesses across more than 150 countries, according to Acronis."
https://www.bleepingcomputer.com/news/security/acronis-warns-of-cyber-infrastructure-default-password-abused-in-attacks/
https://security-advisory.acronis.com/updates/UPD-2310-9e7e-bd9b
Malware
- SeleniumGreed: Threat Actors Exploit Exposed Selenium Grid Services For Cryptomining
"Wiz Research has detected an ongoing threat campaign dubbed “SeleniumGreed” that exploits exposed Selenium Grid services to deploy cryptominers. Selenium is a popular open-source suite used for testing web applications, allowing users to write tests that simulate user interactions across different browsers and environments."
https://www.wiz.io/blog/seleniumgreed-cryptomining-exploit-attack-flow-remediation-steps
https://thehackernews.com/2024/07/ongoing-cyberattack-targets-exposed.html
- Terrorist Activity Is Accelerating In Cyberspace - Risk Precursor To Summer Olympics And Elections
"Yesterday FBI Director Christopher Wray expressed growing concerns over the potential for a coordinated foreign terrorist attack in the United States. During his testimony to the House Oversight Committee, Mr. Wray cited the ISIS-K attack on Crocus City Hall in Moscow in March as an example of the type of threat the bureau is increasingly concerned about. He also mentioned the need for more help from international partners in addressing terrorism threats and highlighted the potential exploitation of the U.S. southern border by foreign terrorists."
https://www.resecurity.com/blog/article/terrorist-activity-is-accelerating-in-cyberspace-risk-precursor-to-summer-olympics-and-elections
https://securityaffairs.com/166179/breaking-news/terrorist-activity-alarm-terrorist-attacks.html
https://hackread.com/increased-cyberterrorism-activity-paris-olympics-warn/
- Malicious Python Package Targets MacOS Developers To Access Their GCP Accounts
"In a recent investigation, we discovered that the Python package, “lr-utils-lib”, contained hidden malicious code. The code, activated upon installation, targets macOS systems and attempts to steal Google Cloud Platform credentials by sending them to a remote server. Additionally, we discovered a link to a fake LinkedIn profile for “Lucid Zenith,” who falsely claimed to be the CEO of Apex Companies, LLC, indicating possible social engineering tactics."
https://checkmarx.com/blog/malicious-python-package-targets-macos-developers-to-access-their-gcp-accounts/
https://www.darkreading.com/threat-intelligence/targeted-pypi-package-steals-google-cloud-credentials-macos-devs
https://thehackernews.com/2024/07/malicious-pypi-package-targets-macos-to.html
- GXC Team Unmasked: The Cybercriminal Group Targeting Spanish Bank Users With AI-Powered Phishing Tools And Android Malware
"In September 2023, Group-IB uncovered a previously unknown Spanish-speaking criminal group, GXC Team, operating a sophisticated AI-powered phishing-as-a-service platform. Targeting users of Spanish banks, GXC Team utilized unconventional tactics that posed a significant regional threat. Initially emerging in January 2023 on Telegram and Exploit.in, GXC Team specialized in developing and selling phishing kits, Android malware, and AI-powered scam tools. Their services included the sale of stolen banking credentials and custom coding for hire, operating under a malware-as-a-service model where customers could purchase phishing resources tailored to mimic bank domains."
https://www.group-ib.com/blog/gxc-team-unmasked/
https://thehackernews.com/2024/07/spanish-hackers-bundle-phishing-kits.html
- Another European Parliament Member Says He's Been Targeted With Commercial Spyware
"A German member of Europe’s Parliament said his mobile phone was targeted with powerful commercial spyware in May, according to an X post he published Thursday night. The attempted infection, deemed likely to have emanated from prominent spyware vendor Candiru, masqueraded as an email from someone asking that he click on a link, said Daniel Freund, the Parliamentarian."
https://therecord.media/european-parliament-member-targeted-with-spyware
- Scam Attacks Taking Advantage Of The Popularity Of The Generative AI Wave
"In this post, we explore the evolution of domain registration and network attacks associated with terms related to generative AI (GenAI). These trends are strongly correlated with the key milestones and developments in GenAI such as the launch of ChatGPT and its integration into the Bing search engine – and the buzz of interest around these events."
https://unit42.paloaltonetworks.com/cybersquatting-using-genai-keywords/
- HUR Hackers Shut Down Russian Banks And Internet Providers
"Cyber specialists from Ukraine’s Main Intelligence Directorate (HUR) have successfully hacked into Russia's banking and other payment systems, sources from the agency told Kyiv Post on Wednesday, July 24. As a result of the cyberattack, which began on the morning of July 23, payment systems, mobile applications of banks, personal accounts, public transport payment systems, etc. have ceased working or been significantly impeded. The hack has also caused interruptions to Russian major mobile operators and Internet providers across the country."
https://www.kyivpost.com/post/36296
https://securityaffairs.com/166214/cyber-warfare-2/atm-services-russian-banks-hacked.html
- Two-Step Phishing Campaign Exploits Microsoft Office Forms
"Perception Point’s security research team has identified an alarming new phishing campaign. Attackers are abusing Microsoft Office Forms to launch sophisticated two-step phishing attacks. Office Forms, typically used for creating surveys and quizzes, are now being leveraged by threat actors to trick targeted users into divulging their Microsoft 365 (M365) credentials."
https://perception-point.io/blog/two-step-phishing-campaign-exploits-microsoft-office-forms/
Breaches/Hacks/Leaks
- Crypto Exchange Gemini Discloses Third-Party Data Breach
"Cryptocurrency exchange Gemini is warning it suffered a data breach incident caused by a cyberattack at its Automated Clearing House (ACH) service provider, whose name was not disclosed. The American crypto exchange began sending notices to impacted individuals a month ago, on June 26, 2024, but submitted a sample of the letters yesterday to the Attorney General's Office in California. According to the notification, Gemini suffered a third-party data breach when an unauthorized actor breached its vendor's systems between June 3 and June 7, 2024."
https://www.bleepingcomputer.com/news/security/crypto-exchange-gemini-discloses-third-party-data-breach/
- Hacktivists Claim Leak Of CrowdStrike Threat Intelligence
"A hacktivist group has claimed to have leaked CrowdStrike’s entire internal threat actor list, including indicators of compromise (IoC). CrowdStrike acknowledged the claims by the USDoD threat actor in a blog post on July 25, 2024. The firm noted that USDoD provided a link to download the alleged threat actor list and provided a sample of data fields on the notorious BreachForums cybercrime forum. The claims come in the wake of the global IT outage on July 19 caused by a bug in a content update for the CrowdStrike Falcon platform. The bug prevented affected systems from booting correctly, disrupting critical sectors such as airlines, banks, media and healthcare."
https://www.infosecurity-magazine.com/news/hacktivists-leak-crowdstrike/
- Columbus Reports Cyber Incident As Multiple Cities Recover From Ransomware Attacks
"The city of Columbus, Ohio said it is working to restore its systems after a cybersecurity incident forced the government to sever internet connectivity. City officials did not respond to requests for comment but released a statement this week explaining that while its 911 and employee payroll systems remain operational, several resident-facing IT services are dealing with outages that “may take time to restore.”"
https://therecord.media/columbus-ohio-cyber-incident-states-ransomware
General News
- 16% Of Organizations Experience Disruptions Due To Insufficient AI Maturity
"While sysadmins recognize AI’s potential, significant gaps in education, cautious organizational adoption, and insufficient AI maturity hinder widespread implementation, leading to mixed results and disruptions in 16% of organizations, according to Action1."
https://www.helpnetsecurity.com/2024/07/26/sysadmins-ai-implementation/
- AI-Generated Deepfake Attacks Force Companies To Reassess Cybersecurity
"As AI-generated deepfake attacks and identity fraud become more prevalent, companies are developing response plans to address these threats, according to GetApp. In fact, 73% of US respondents report that their organization has developed a deepfake response plan."
https://www.helpnetsecurity.com/2024/07/26/deepfake-response-plans/
- Most CISOs Feel Unprepared For New Compliance Regulations
"With the new stringent regulations, including the SEC’s cybersecurity disclosure rules in the USA and the Digital Operational Resilience Act (DORA) in the EU, a significant challenge is emerging for many organizations, according to Onyxia Cyber."
https://www.helpnetsecurity.com/2024/07/26/cisos-compliance-regulations-preparedness/
- Russian Ransomware Gangs Account For 69% Of All Ransom Proceeds
"Russian-speaking threat actors accounted for at least 69% of all crypto proceeds linked to ransomware throughout the previous year, exceeding $500,000,000. This number is from TRM Labs, a blockchain intelligence and analytics firm specializing in crypto-assisted money laundering and financial crime. North Korea is the leader in stealing cryptocurrency through exploits and breaches, having stolen over a billion dollars in 2023. Asia also remains the leader in scams and investment fraud."
https://www.bleepingcomputer.com/news/security/russian-ransomware-gangs-account-for-69-percent-of-all-ransom-proceeds/
https://www.trmlabs.com/post/new-trm-report-reveals-russian-speaking-groups-dominate-ransomware
https://www.trmlabs.com/comrades-in-crime-exploring-the-russian-speaking-illicit-crypto-ecosystem
- Could Intel Have Fixed Spectre & Meltdown Bugs Earlier?
"The Spectre and Meltdown chip vulnerabilities could have been resolved much earlier had chip makers taken reports from academic researchers more seriously, says one researcher who helped unveil the hardware bug. Daniel Gruss, a researcher at Graz University of Technology, hasn't had a break since Meltdown and Spectre came to light. Chip vulnerabilities are multiplying with increasingly complex chip designs and the emergence of new technologies such as GPUs and confidential computing."
https://www.darkreading.com/vulnerabilities-threats/could-intel-have-fixed-meltdown-spectre-earlier
- Distributing Security Responsibilities (Responsibly)
"Love it or hate it, cybersecurity compliance continues to be top of mind across private organizations and federal bodies alike. With new regulations on emerging technology continuing to be developed and introduced, even the US Senate is proposing legislation to streamline federal cybersecurity regulations."
https://www.darkreading.com/vulnerabilities-threats/distributing-security-responsibilities-responsibly
- Despite Bans, AI Code Tools Widespread In Organizations
"Organizations are concerned about security threats stemming from developers using AI, according to a new Checkmarx report. The cloud-native application security provider found that 15% of organizations explicitly prohibit the use of AI tools for code generation, however 99% say that AI code-generating tools are being used regardless. Meanwhile, just 29% of organizations have established any form of governance for the use of generative AI."
https://www.infosecurity-magazine.com/news/ai-code-tools-widespread-in/
References
Electronic Transactions Development Agency (ETDA)